[Samba] Password Resets as root

[Volker Lendecke]

On Mon, Jul 11, 2011 at 10:45:21AM -0500, John P Janosik wrote:
> I've got a cluster of Samba servers with security=user and a ctdb passdb 
> backend.  I need to keep the passwords for the users in sync with another 
> system, which will pass me userid and password for each change and reset. 
> My question is what is the simplest way to do the password reset for a 
> user as root on one of the Samba servers.  I need to allow the user to 
> change their password immediately after reset despite the presence of a 
> minimum password age policy in the case of reset.  It seems windows does 
> this by setting one of the password time fields to 0 to mean "password 
> must change at next login" for this case.  If I use "smbpasswd -s" as root 
> the password is changed as I want, but the user cannot change the password 
> until the next day.  I didn't see a way to set this flag via any of the 
> Samba tools as root.
> 
> I was able to get this working via rpcclient by mimicking an admin 
> password reset from a Windows machine, but this required having access to 
> the password for an admin account available to the automation. 
> 
> I ended up patching pdbedit to add a new option "  -Y, --pw-must-change    
>      set password must change flag" and call this after setting the pw. 
> Does anyone know if there is another way to accomplish this so I don't 
> have to patch Samba at each release?  If there is no way with the current 
> tools would a patch be accepted to add this?

First, such a patch would be appreciated, although pdbedit
is a bit deprecated. Try "net sam set pwdmustchangenow".

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen